Bug Bounty Hunters Weigh In On Google's Vulnerability Reporting Program

Posted by samzenpus
from the professional-swatter dept.
An anonymous reader writes "InfoWorld reached out to three security researchers who participate in Google's vulnerability reporting program, through which the company now offers as much as $20,000 for bug reports. They provided some insightful perspectives on what Google (and other companies, such as Mozilla) are doing right in paying bounties on bugs, as well as where there's some room for improvement."
  • by Derek Pomery (2028) on Wednesday April 25, 2012 @05:25PM (#39800975)

    So apparently the size of the bounty isn't everything.

    'Both Kettle and Ruderman specifically mentioned Mozilla as an organization offering a bug-bounty program that is, in some ways, superior to Google's.

    Among Mozilla's advantages, the organization has staging and sandbox servers for researchers to pound on without impacting users, provides a bug tracker that advises contributors as to the progress of fixes, does not require researchers to keep bugs secret, and offers a higher bounty for high-severity bugs, such as universal XSS bugs. Google's program may not make the Internet safer, Kettle observed, except by example. "Mozilla's certainly does, though: addons.mozilla.org is built on Django, and bugzilla.mozilla.org on Bugzilla," he said.'

  • by jesser (77961) on Wednesday April 25, 2012 @09:23PM (#39802619) Homepage Journal

    Mozilla, Google, and Facebook all offer bounties to researchers outside the US.

    * Mozilla has awarded bounties to researchers in several European countries.

    * Google says [google.com]: “We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists.”

    * Facebook says [facebook.com]: “You must... Reside in a country not under any current U.S. Sanctions (e.g., North Korea, Libya, Cuba, etc.)”

    Which bounty programs are restricted to the US?

  • by Anonymous Coward on Wednesday April 25, 2012 @10:56PM (#39803117)

    Jesse Ruderman is a Mozilla employee, and one of their senior security people. He has a major voice in how their bounty program is run, so of course he's going to argue that it's better. I'm a bit disturbed that the article would fail to disclose such an important piece of information.
